3 stages of preparation that can help healthcare orgs prepare for the worst.
Healthcare organizations must improve their IoT security.
As healthcare providers are steadily adopting the Internet of Medical Things — the network of smart, interconnected clinical devices and applications that automatically gather and relay information — technology has established a sizeable base from which to launch medical digitization efforts, with an estimated 4-million-plus devices now in use.
Despite the appreciable sense of progress accompanying this digitization, the Internet of Medical Things, or IoMT, is not without costs and, more important, risks. The valuable personal data collected and conveyed through IoMT devices, for example, and security vulnerabilities in many devices make them attractive targets for cybercriminals.
In 2018 alone, we've seen successful attacks on MGM hospital in India, Singapore’s largest healthcare institution and Hong Kong's Department of Health. Given the hacks and regular government advisories on emerging threats and cyber incidents, it’s easy to think the sector is under sustained attack. Medical device vendors disclose vulnerabilities when they find them, but the burden to detect and prevent cyberattacks lies equally with healthcare providers.
Developing a cybersecurity strategy in coevolution with your IoMT strategy is critical for the success of healthcare information technology initiatives. Proactive, rather than reactive, cybersecurity tools, techniques and training are required to ensure that organizations have an up-to-date and granular view of what medical devices are connected to their network, where access and end points lie and what the risk level is for a breach of those points — all in real time.
Such a security strategy, designed for superior asset visibility, is important to countering and preventing threats — facilitating operational continuity of critical assets, while protecting patient and data safety.
But with so many devices and attack paths to consider, defining and implementing an IoMT cybersecurity strategy can be daunting. It’s for this reason that experts recommend a phased approach for healthcare operations looking to build their cybersecurity knowledge and capabilities.
The familiar “crawl, walk, run” mantra for managing any organizational or technological change fits well — allowing for a gradual progression as people learn and systems catch up through incremental steps designed to avoid stressing or stretching the organization too much.
In the crawl stage, the healthcare provider establishes a team to identify all medical devices in use, and to raise organization-wide awareness of security challenges. The organization can then walk, assessing risks and creating a baseline measurement of current exposure/protection states. When that stage is fully adopted, and corresponding competencies developed, the organization can move on to the next stage and run. Here, administrators can look to implement a comprehensive cybersecurity program that establishes detection, prevention and response mechanisms.
Assembling a cross-functional team of healthcare and IT professionals is critical to making sure that technical and business considerations are addressed as the strategy is developed and implemented.
This team should take the lead in raising awareness of IoMT threats and security best practices across the organization, communicating regularly and championing the rollout of new technologies and training. Members of this team must make it their business to keep abreast of developments in regulations such as HIPAA, HITECH and various technical standards. This is especially important because the regulatory landscape is complex, ever-changing and demands regular attention.
The team’s first task should be to prepare a complete inventory of connected medical devices and critical assets across the entire hospital network. If this task sounds simple, I assure you that it is not. Even in highly developed economies, many hospitals and healthcare organizations rely on paper-based, incomplete and out-of-date records. In the United States, the Affordable Care Act and pursuant electronic health record requirements have gone a long way to improving the situation. However, there remains a great deal of ground yet to be covered when it comes to organized and digitized healthcare documentation.
It is therefore essential to create a current list of all connected devices and implement a reliable process for its regular maintenance. Best-in-class companies are deploying technology solutions that continuously monitor and update medical device inventory across the entire ecosystem. Automated IT tools can significantly reduce the time taken to identify devices, their operational states and network locations, as well as keep track of changes.
After each device is identified, its risk level — the risk of it being compromised, intentionally or unintentionally — must be evaluated.
A risk assessment for each device is determined based on many factors, including device model and make, how it sits within the network, known vulnerabilities for the device and internal and external threats. These help determine a level of criticality for each device, reflecting its importance to the effective operation of the healthcare provider.
Known vulnerabilities, such as hard-coded or default passwords, end-of-life operating systems, and publicly issued Common Vulnerabilities and Exposures can be gathered from multiple sources, including industry bodies, vendor advisories and research-derived threat intelligence.
This analysis can then be used to quantify the risks to the organization, for example according to the number of patients potentially impacted if a device is compromised or the likely costs to the healthcare provider resulting from unplanned remedial action.
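As an added illustration of the assessment described above (example code written for this page, not a CyberMDX tool), the snippet below scores a constructed device inventory on the factors the text names: network position, default credentials, end-of-life OS and known CVE count on the exposure side, and patients affected plus remediation cost on the impact side. All device names, weights and figures are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    # Constructed inventory record; field choices follow the factors the text names.
    asset_id: str
    model: str
    network_zone: str          # "isolated", "clinical" or "flat" (reachable from the office network)
    eol_os: bool               # operating system no longer patched by the vendor
    default_credentials: bool  # hard-coded or default password still in place
    known_cves: int            # count of published CVEs matched to this make/model (placeholder counts)
    patients_per_day: int      # patients whose care depends on the device
    remediation_cost: float    # estimated cost of unplanned remedial action (USD)

ZONE_EXPOSURE = {"isolated": 1, "clinical": 2, "flat": 4}

def likelihood(d: Device) -> int:
    """Exposure: where the device sits on the network plus the weaknesses it carries."""
    score = ZONE_EXPOSURE[d.network_zone]
    score += 3 if d.default_credentials else 0
    score += 2 if d.eol_os else 0
    score += min(d.known_cves, 5)  # cap so one product with many CVEs does not dominate
    return score

def impact(d: Device) -> float:
    """Impact as patients affected plus remediation cost, each capped at 5 to give a 0-10 band."""
    return min(d.patients_per_day / 10, 5) + min(d.remediation_cost / 50_000, 5)

def risk_score(d: Device) -> float:
    return round(likelihood(d) * impact(d), 1)

def criticality(d: Device) -> str:
    s = risk_score(d)
    return "critical" if s >= 60 else "high" if s >= 25 else "medium" if s >= 10 else "low"

def prioritise(devices):
    """Remediation order: highest risk first."""
    return sorted(devices, key=risk_score, reverse=True)

# Constructed sample inventory; models and figures are illustrative placeholders.
SAMPLE_INVENTORY = [
    Device("INF-001", "infusion pump", "flat", True, True, 3, 40, 120_000),
    Device("MRI-001", "MRI scanner", "clinical", False, False, 1, 25, 400_000),
    Device("MON-017", "bedside monitor", "isolated", False, False, 0, 5, 5_000),
]
```

Note that the flat-network pump outranks the far more expensive scanner: exposure, not price, drives the ordering.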
The risk assessment also provides input to the organization’s wider security architecture and network security approach. To this effect, it’s important that administrators make sure that device and asset security measures mesh with existing security protocols and controls.
Once all medical devices and critical assets have been identified, classified and assessed for risk, security professionals should build a baseline for normal operations. Knowing the profile of normal network traffic activity helps security analysts spot potential threats by flagging anomalous deviations from the baseline.
Security controls are technical or administrative safeguards used to avoid, counteract or minimize risks. Software patch management and password policies are common examples, but medical devices have other unique considerations.
A security access policy based on device type, clinical need and network connectivity should be defined for each device and enforced by a technology solution. This ensures that only allowed traffic can reach the protected device, dramatically reducing its attack surface.
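The baseline-then-flag approach described earlier and the per-device-type allowlist described here fit together, as the added example below shows (written for this page, not vendor code). It learns a profile of normal destinations per device type from a constructed window of flow records, extends it with explicitly approved clinical destinations, and then reports observed flows that fall outside the policy or come from a device type not in the inventory. All device ids, hostnames and ports are constructed assumptions.

```python
from collections import defaultdict

# Constructed learning-window flow records: (device_id, device_type, dst_host, dst_port)
BASELINE_FLOWS = [
    ("INF-001", "infusion_pump", "pharmacy-srv", 443),
    ("INF-001", "infusion_pump", "ntp-srv", 123),
    ("INF-002", "infusion_pump", "pharmacy-srv", 443),
    ("MON-010", "patient_monitor", "central-station", 8080),
    ("MON-010", "patient_monitor", "ntp-srv", 123),
]

def build_baseline(flows):
    """Profile of normal traffic: the (host, port) destinations seen per device type."""
    profile = defaultdict(set)
    for _, dev_type, host, port in flows:
        profile[dev_type].add((host, port))
    return profile

def build_policy(profile, clinical_need=None):
    """Allowlist per device type: baseline destinations plus approved clinical destinations.
    Anything not listed is denied, which is the only-allowed-traffic posture from the text."""
    policy = {t: set(dests) for t, dests in profile.items()}
    for dev_type, dests in (clinical_need or {}).items():
        policy.setdefault(dev_type, set()).update(dests)
    return policy

def flag_anomalies(policy, flows):
    """Return (device_id, host, port, reason) for each flow that deviates from the policy."""
    findings = []
    for dev_id, dev_type, host, port in flows:
        allowed = policy.get(dev_type)
        if allowed is None:
            findings.append((dev_id, host, port, "unknown device type: not in inventory"))
        elif (host, port) not in allowed:
            findings.append((dev_id, host, port, "destination outside baseline/policy"))
    return findings

# Constructed observation window: one normal flow, one unexpected file-share connection,
# one device type that was never inventoried.
OBSERVED_FLOWS = [
    ("INF-001", "infusion_pump", "pharmacy-srv", 443),
    ("INF-002", "infusion_pump", "file-share-01", 445),
    ("XRAY-03", "xray_cart", "central-station", 8080),
]
```

The second kind of finding is the inventory gap the crawl stage exists to close: a device the baseline never saw cannot be judged normal or abnormal, only unknown.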
It is important to note, however, that implementing controls isn’t the end of the process.
A good IoMT cybersecurity strategy needs to be embedded into the organization, meaning device audits, risk assessments, training curricula and controls should all be updated regularly. In addition, intelligence should be shared with partners and team members on a continuous basis.
Inevitably, some degree of cultural change will be required in order for an IoMT security strategy to be successful, and that must come from the top of the organization. Leaders must provide funding and resources, establish governance processes to measure effectiveness and lead by example.
Finally, despite best efforts with prevention, the organization should ready itself for a security breach. The chances of one happening will be significantly reduced by following the steps outlined above, but it can’t be discounted — and suffering a breach without being prepared with a contingency plan could be catastrophic. Incident response plans, such as those published by NIST, are critical tools for handling technical and non-technical responses to cybersecurity events and incidents.
Healthcare cybersecurity is a journey more than a destination, and you’ll never really arrive and be done. The goal is to constantly be learning, improving and moving in the right direction. It’s an ongoing process — but it’s one best undertaken with a clear mind and good directions.
Jon Rabinowitz is vice president of marketing for CyberMDX.